(57) Abstract: An online machine data collection 
and archiving process (15) generates a machine data 
profile (18) of a customer computer (5) accessing a 
transaction form of a merchant web site (3) and links the 
machine data profile (18) and a transaction record (6) 
with customer identifying information using a unique 
transaction identification string. The process preferably 
captures parameters typically communicated as part of 
web accesses, such as an IP address, an HTTP header, 
and cookie information. The process additionally causes 
the customer computer (5) to process self-identification 
routines by processing coding within the merchant 
transaction form, the self-identification routines 
yielding further profile parameters. The process further 
includes a routine for bypassing an intervening proxy 
to the merchant web site (3) to reveal the true IP address 
of the customer computer (5). 

For two-letter codes and other abbreviations, refer to the "Guidance Notes on Codes and Abbreviations" appearing at the beginning of each regular issue of the PCT Gazette.

ONLINE MACHINE DATA COLLECTION AND [...]

Cross Reference to Provisional Application

This application claims benefits from provisional application, Serial No. 60/209,936 filed June 7, 2000 and entitled METHOD FOR COLLECTING MACHINE DATA FROM CUSTOMERS ON A COMPUTER NETWORK.

Background of the Invention

The present invention relates to identity detection techniques [...] particularly, to a process for collecting and utilizing machine-identifying data of computers and other online appliances used in online interactions and transactions [...] collected machine data with such online interactions.

The internet, or global computer network, represents a new medium [...] similar to the way mail ordering and telephone ordering did in the past. A downside of internet marketing is that it also presents new opportunities for unscrupulous persons to take advantage of the mechanisms of internet transactions by fraudulent [...] practices. Merchants and financial institutions bear the initial costs of fraud. However, consumers ultimately pay the costs in the form of prices and credit rates which must take into account losses from fraud. Internet purchases typically involve the use of web page forms which are filled in by the customer with identity, address, purchase, shipping, and payment information and submitted to the online [...]. Internet purchases are most often paid for by way of credit [...]. While a merchant's software may be able to verify the existence and status of a [...] authorization for a specific amount, the merchant is often not able to match a credit card number with a specific purchaser or shipping address. Thus, absent any overt indication otherwise, a merchant generally assumes that anyone using a credit card is authorized to do so and that a customer is who he identifies himself to be.

An important step in combating fraud is accurate identification of the computers through which customers make transactions and associating such identities with transactions which arouse suspicions or which ultimately [...]. Basic machine identity is essential to the manner in which the internet [...]. We speak in terms of "visiting" a web site. In reality, [...] for a web page file in a directory or folder on a computer located at a specific internet protocol, or IP, address. In order for the web page file to be [...] computer for processing into a displayed "web page", the request [...] in the form of the basic identity of the [...] address. Some sites are implemented with software which enables page requests to be tailored to specifics of the requesting [...] web browser, and the like. For this reason, current versions [...] communicate [...]

The IP address of a page requesting computer can give an indication of the [...] country where the computer is located. Furthermore, [...] computer can also recognize a returning user using the same computer as during a previous access. For example, placing an HTTP (hypertext transfer protocol) "cookie" on a page-requesting computer can make it possible to identify the computer on a later access.

Because direct interaction with a customer's computer is essential in detecting fraud, it has been assumed that any viable fraud detection software must be integrated with a merchant's software. As a result, most existing fraud detection solutions require merchants to either abandon or extensively modify their existing web-based transaction processing software. An additional problem with focusing fraud detection at single merchants is that perpetrators of fraud often hit many merchants in an attempt to avoid or delay detection. Thus, an ideal system for fraud detection in online marketing would only minimally affect the merchant's existing software and would [...] through a central, third-party entity serving a large multitude of merchants.

Summary of the Invention

The present invention provides a process for collecting data associated with a customer's computer during access of a merchant, financial, other host web site [...] associating a transaction identification number with the data and with a transaction form of the merchant. Generally, the present invention captures machine identifying [...] computer or other digital appliance accessing a host web site, sends the captured data to a machine data archive along with a unique transaction identification string for storage in the archive and writes the same transaction identification string into a transaction form through which transactions with the host web site are conducted. The machine data is, thus, associated with the customer identification data within the transaction form by way of the transaction identification string and can be used on-the-fly or at a later time for a variety of purposes including, but not limited to, fraud detection. Although the term "archive" is used, the machine data collected need not be stored permanently.

The machine data collection process of the present invention is intended to be employed in a variety of applications including but not limited to: online purchases and orders; online banking, bill payment, and funds transfers; online registrations, such as [...] memberships, product warranties, applications for credit [...] licenses; online technical support; and the like. The term "transaction" is used in the present invention to describe an interaction effected between a digital appliance and a host system. However, the term "transaction" is not intended to be restricted to only commercial interactions involving purchases. The term "transaction" is intended to apply to an interaction of a remote digital appliance with a host system using a relatively anonymous type of access process over a digital medium in which some form of self-identification of the accessing appliance is inherent in the access process and in [...] true identity of the accessing party, the true source address of the appliance on the medium, and/or the true machine characteristics of the accessing appliance is/are essential or desirable to the interaction.

The host entity which operates the host system accessed is intended to encompass a commercial, financial, educational, governmental, associational, or other type of entity. The term "merchant" will be used herein to refer to such a host entity [...] limit the present invention to commercial transactions. The medium of access is intended to be interpreted as including a global computer network such as the internet or world wide web, as well as other types of networks which may be less than global but which are publicly and/or anonymously accessible. The term "internet" will be used herein to refer to the medium through which accesses to the host entity are made. The terms "customer computer" or "machine" are used herein to refer to a device for effecting remote access to a host system over a digital medium and are meant to encompass not only conventional types of personal computers, but also additional types of "digital appliances" with online access capabilities, such as: cell phones, personal digital assistant devices, electronic game systems, television sets with online access capabilities, web appliances for vehicles, and any other type of device with online access capabilities whether connected to a wired communications network directly or by a radiant technology.

The machine data collection process of the present invention contemplates a two party process embodiment in which a "merchant" processes and/or stores [...] profiles of customer computers in-house, as well as a three party process embodiment in which machine data profiles of customer computers are processed and/or stored for the merchant by a third-party machine data collection and archive service.

In a two party embodiment of the data collection process of the present invention, the customer machine data is captured by a merchant or host system which also generates a unique transaction identification (ID) string and assigns or [...] with a machine data profile of the customer machine data profile. In the two party process, the merchant system captures customer computer data [...] from the customer computer to the merchant's web site, such as an IP address of the customer computer and an HTTP header. Additionally, according to the present invention, the merchant web page code may have routines or calls for external routines which, when processed by the customer computer, cause the customer computer to further identify itself by collecting and returning certain machine and software [...] configuration characteristics, which can be used to identify the particular [...] computer. The two party process may include the generation and setting of an HTTP cookie in the customer browser for recognition upon a later access with the merchant web site.

Although the two-party embodiment of the machine data collection process of the present invention has utility for some applications, the three party embodiment is preferred for applications in which analysis of a maximum number of customer computer [...] desirable, such as certain types of marketing processes and fraud detection and [...] processes. In a three party embodiment of the present invention, the customer machine data of computers accessing the second party or merchant web site is communicated to and stored within a third party system, referred to herein as a machine data archive service [...]. In the three party process, the transaction ID could be generated by the merchant system, but is preferably generated by the archive service. The use of the term "archive" is not meant to indicate that the customer machine data profiles are stored permanently within the third party system. Permanent storage of such profiles may not be practical, as far as yielding beneficial results to the purposes for which the profiles are collected. Thus, the term "archive" is meant to indicate a central storage facility, such as a database, with a selected retention period, with purging of most profiles after a certain length of time.

In the three party process a routine or line of code is added into the hypertext markup language (HTML) code which defines the merchant's web page, particularly [...] order or transaction form page. The added routine issues a request for a machine data collection (MDC) script to the third-party web site when the form page code is processed by the customer's browser. When the script request is received by the machine data archiving service (MDAS), the archive service generates a unique transaction identification (TA/ID) and checks for its own cookie. If no MDAS cookie is present, the archive service sends a cookie to the requesting computer along with a machine data collection (MDC) script having the transaction ID embedded therein. The MDC script is executed by the customer's browser, causing collection of certain data from the customer's computer [...] is sent back to the archive service along with the transaction ID and stored in a machine data profile in the machine data archive. The transaction ID is written into the transaction form, and when the transaction form is [...] merchant web site, the transaction ID string becomes a part of the transaction data record, along with customer identification, location, and financial information.

The machine data initially collected and stored in each profile preferably includes the transaction ID, the apparent IP address of the customer's computer, a conventional HTTP header which identifies the customer's browser versions and certain configuration aspects of the browser, and the archive service's cookie. The combination of such information, minus the transaction ID, will be relatively rare but may not be unique. Additionally, customers intent on conducting fraudulent transactions [...] address behind HTTP proxies. In order to further narrow the machine profile, in a preferred embodiment of the present invention, the MDC script performs [...] machine profiling operations: generation of a machine "fingerprint" and a proxy "piercing" operation.

In the fingerprint generation operation, the MDC script assembles an attribute string formed by various attributes or configuration settings of the browser which [...] queried by the script. The MDC script then performs a conversion process on the attribute string to generate a fingerprint string having content which is a function [...] original content of the attribute string. The conversion process is preferably a "hashing" function which is, in effect, an irreversible encryption algorithm. The generation of a conventional checksum is one example of a type of hashing function. For example, if the attribute string is formed by alphanumeric characters, the [...] on the string of codes representing the characters. The particular conversion process or hashing function used may be one of many types of conventional conversion algorithms or hashing functions, which are typically used for data integrity tests. The resulting string from the MDC conversion process is a so-called fingerprint, which is returned to the archive service along with the transaction ID for storage in the machine profile. A time value, queried from the customer computer time-of-day clock, is returned with the fingerprint string and stored in conjunction therewith.

An HTTP proxy is one of several types of proxies through which a browser may be set up to operate. Setting up an HTTP proxy causes HTTP requests to be relayed [...] primary gateway, through which the computer actually interfaces to the internet, to a remote secondary gateway, or proxy, with an IP address different from the primary gateway IP address. Such redirection hides the true IP address of a computer. The proxy piercing operation of the MDC script queries the customer computer for any LAN (local area network) address which may be assigned to the computer and reads the system time of day clock. Then attempts are made to send the LAN address, if any, the time value, and the transaction ID to the archive service using a protocol which will not be redirected through the HTTP proxy, for example a lower level protocol such as TCP/IP or UDP protocols. If the attempt is successful, the message containing the time value, the transaction ID, and LAN address arrive at the archive service web site with the true return IP address of the customer computer, whether an HTTP proxy intervenes or not. The LAN address and IP address so derived are stored in the machine profile. It should be noted that the use of an HTTP proxy is not, of itself, an indication of fraud. However, the acquisition of an additional IP address is one more parameter [...] particular computer.

When, and if, the customer submits the transaction form to the merchant, the transaction ID string is communicated to the merchant, along with other customer information such as name, address, credit card number and the like [...] information. The complete transaction record is stored on the merchant's system and is associated with a specific machine identity profile within the archive service by way of the transaction ID string. Thereafter, the stored machine identity profiles and transaction records of large numbers of transactions can be analyzed by various fraud detection techniques to detect patterns of fraud and fraud attempts and, preferably, identify and locate the sources of such activity.

The machine data profiles stored in the archive service need not be combined with the customer identification information for non-suspicious transactions, to thereby preserve the privacy of non-suspicious customers within the machine data archive. However, the processes of the present invention do not require that the customer identification information be kept separated from any associated machine data profiles, and there may be reasons to combine the associated records.

Brief Description of the Drawings

Fig. 1 is a simplified block diagram illustrating a plurality of [...] merchant computers interfaced to the internet along with a machine data archiving service computer for practicing the machine data collection process of the present invention.

Fig. 2 is a simplified block diagram illustrating connection [...] to the internet, with optional components shown in phantom lines.

Fig. 3 is a flow diagram illustrating principal steps of the machine data collection and archiving process according to the present invention.

Fig. 4 is a flow diagram illustrating more detailed steps of the machine data collection and archiving process according to the present invention.

Fig. 5 is a flow diagram illustrating still further detailed steps in the machine [...] collection and archiving process of the present invention.

Various objects and advantages of this invention will become apparent from the following description taken in relation to the accompanying drawings wherein [...] forth, by way of illustration and example, certain embodiments of this [...]

The drawings constitute a part of this specification, include exemplary embodiments of the present invention, and illustrate various objects and features thereof.

Detailed Description of the Invention

As required, detailed embodiments of the present invention are disclosed herein; however, it is to be understood that the disclosed embodiments are merely [...] the invention, which may be embodied in various forms. Therefore, specific structural and functional details disclosed herein are not to be interpreted as [...] basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present invention in virtually any [...]

Referring to the drawings in more detail:

The reference numeral 1 (Fig. 3) generally designates a process for online collection of machine identifying or profiling data of computers involved in commercial transactions and for archiving such data to facilitate analysis for fraud detection purposes. The process collects machine identifying or profiling data of computers involved in commercial transactions and archives such data in a third-party machine data archive service in association with a transaction identification string or ID which is also written into a transaction form of a merchant with whom the customer is conducting a transaction.

Fig. 1 illustrates a plurality of host entities or merchants with corresponding merchant computers 2, on which are operated merchant web sites 3 which are accessible over a global computer network, such as the internet 4, by a plurality of customer computers 5. The merchant computers 2 execute various programs which enable the sale of products or services by way of the internet 4. The merchant web sites 3 typically make use of form type web pages with which the customers 5 interact by filling in various data fields, for example, name, address, shipping address, telephone number, credit card type and number and expiration date, and description and quantities of products to be ordered. The merchant transaction forms are usually written in hypertext markup language (HTML) and may include requests for code written in other languages, such as Java and the like. When a customer 5 accesses a merchant's transaction form, a transaction form file is communicated to the customer's computer with various data fields displayed as fill-in boxes or the like. The customer fills in the appropriate fields and selects a submit "button" which activates a routine to transfer the collected information back to the merchant web site 3 for processing. The returned "form" is a data record 6 which is stored in a merchant transaction database 7 for retrieval and processing in due course to cause the ordered items to be gathered, packaged and prepared for shipment, along with financial processing to debit the customer's credit account. The financial processing may include a validity check of the credit account and an authorization [...] purchase with the credit card issuer. Additionally, inventory management processes are executed based on the items withdrawn from stock for shipment.

In a three party embodiment of the present invention, the process 1 makes use of an entity referred to herein as a machine data archiving service, MDAS or archive service which operates an archive service computer system 15, including an archive service web site 16. The archive service system 15 maintains a machine data archive service database or archive 17 in which the machine data collection profiles 18 from customer [...] of the merchants 2 are stored. The archive service web site 16 is interfaced to the internet 4. The archive service 15 is preferably independent of the merchants and [...] by a merchants' association, a financial institution or association thereof or may be an independent contractor. Alternatively, it is conceivable that a merchant with a high volume of online sales could operate its own in-house machine data profile collection and archiving service 15, for fraud detection or possibly for marketing purposes.

Referring to Fig. 2, a customer computer system 5 includes a customer computer 20 interfaced to the internet 4 by way of a primary gateway 22, as of an internet service provider (ISP). The computer 20 may be one of many on a local area network or LAN 24 which includes a router or switch which routes data from the internet 4 to the computers on the network. The computer 20 may communicate through the internet 4 by way of a HTTP (hypertext transfer protocol) proxy 26, which disguises the internet protocol (IP) address of the actual gateway 22. The computer 20 accesses web sites on the internet 4 using a customer web browser 28 which processes HTML language and various other standard web oriented languages to display or otherwise render the content of web pages and interact therewith. The browser 28 is normally enabled to accept "cookies" 30 which are stored in a cookie file. Cookies 30 are data strings which are issued by web sites and give an indication of a previous visit to a particular web site and may indicate a particular configuration or set of preferences of the customer's setup of the computer 20. Typically, the customer computer 20 has a time of day clock/calendar 32.

The customer computer 20 may have a fixed IP address, depending on the manner in which it is interfaced to the internet. More commonly, the customer computer 20 will have a temporary or dynamically assigned IP address which is determined [...] router 22. The primary router 22 has an IP address, as do a router of a LAN 24 or an HTTP proxy 26 if either is present in the customer's computer system 5.

Fig. 3 illustrates the principal actions or steps of a general or basic process 34 of the process 1 for collecting machine identifying data from customer [...]. At step 35, at least one machine identifying profile parameter is captured upon access of a customer computer 5 or other online access device with a host or merchant web site 3. A unique transaction identifier or TA/ID is generated at 36 and associated at 37 with the captured profile parameter. The transaction ID is also associated at step 38 with a transaction record generated as a result of the interaction or transaction conducted between the customer computer 5 and a merchant web site 3. Although not specifically shown in Fig. 3, the process 34 may capture machine profile data [...] customer computer 5 to the merchant computer 3 as an inherent step of the customer computer 5 accessing the merchant computer 3. Alternatively, the process 34 may pass routines to the customer computer 5 to cause it to "self-identify" itself by querying certain configuration parameters and passing such information to a machine profile stored either within the merchant's system 2 or in a third party archive 17. The process 34, thus, encompasses a two-party embodiment or a three party embodiment of the machine data collection and archiving process 1 of the present invention.

Referring particularly to Fig. 4, a more particular three [...] machine data collection and archiving process 1 begins at step 40 with the coding of a machine data collection (MDC) script request into the web page code for a transaction form of a merchant web site 3. When a customer 5 accesses the merchant transaction form at step 42, the customer browser 28 processes the transaction page code, [...] the MDC script request, which causes the MDC script request to be communicated to the archive service web site 16 at step 44. The script request arrives at the archive service 15 with a set of customer machine parameters which principally provide a return path for the MDC script from the archive service 15 to the customer 5. The customer machine parameter set preferably includes "user agent" information, which is the version of the customer browser 28.

At step 46, the archive service 15 generates a unique transaction ID string and associates it with the customer machine parameter set in the MDAS archive 17. At step 48, the archive service returns the MDC script, with the transaction ID embedded within it, to the customer browser 28. At step 50, the customer browser 28 processes the MDC script which, at a minimum, writes the transaction ID string into the merchant's transaction form. Assuming that the customer 5 completes the transaction and submits the transaction form to the merchant 2 at step 52, the transaction ID string is stored with the transaction data record 6 in the merchant transaction database 7. The transaction ID, thus, indirectly associates the machine data parameter set 18 stored in the MDAS archive 17 at step 54 with the customer identity information stored with the transaction data [...] merchant's transaction database 7. Thereafter, qualified parties may access the MDAS archive 17 for information related to a transaction ID.

The MDAS archive 17 need not contain any information which specifically identifies a particular customer, only the machine parameter profiles 18 with associated transaction ID strings. The MDAS archive records 18 can be analyzed in conjunction [...] the merchant transaction records for patterns of fraud or for other purposes. The great majority of MDAS archive records can be purged from the archive 17 after a selected period of time. Any records which are associated with any transaction irregularities or suspicions of actual fraud may be retained longer.

Fig. 5 illustrates the principal steps of a preferred embodiment 60 of the machine data collection and archiving process 1 of the present invention. The process 60 begins with the addition at 62 of a machine data collection (MDC) script to the transaction form page code of a merchant web site 3. The transaction form page code is processed at 64 by a customer browser 28 when the merchant web page is accessed to [...] the MDC script at 66 from the machine data archive service (MDAS) web site 16. When the browser 28 accesses the MDAS web site 16, requesting the MDC script, the MDAS web site checks for the presence of an MDAS cookie at step 68. If no MDAS cookie is detected, an MDAS cookie is generated at 70 and a unique transaction identification (TA/ID) string is generated at 72. The MDC script, transaction ID, and cookie, if not previously set, are returned at 74 to the customer browser 28, the transaction ID being embedded within the MDC script.

When the MDC script is received by the browser 28, it is executed at 76. The cookie is stored in the cookie file 30, or possibly in the memory of the customer computer 20. Execution of a preferred MDC script causes several actions to be performed. The MDC script writes the transaction ID into the transaction form at step 78. The script can do this by either setting an existing variable of an appropriate name to the transaction ID string or by writing an appropriate variable into the transaction form page and setting its value to the transaction ID string. Additionally, the preferred MDC script generates a "fingerprint" of the customer computer 20 at step 80 and attempts to perform a proxy piercing operation at step 82.

In generating the machine fingerprint at 80, the MDC script queries the browser 28 for a number of attributes and settings and concatenates the results into an attribute string at 84. The MDC script then performs a hashing algorithm on the attribute string at 80 to generate a fingerprint string which has a high degree of uniqueness. Hashing functions are irreversible encryption processes in which the result is dependent on the original content of the data on which the hashing algorithm is operated. Hashing functions are commonly used for data integrity checking. As previously stated, a common checksum is the result of a type of hashing function. The particular hashing function employed preferably maximizes the uniqueness of the resulting fingerprint.
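
The fingerprint step above and the transaction-ID linkage described for Fig. 4, modelled in Node.js as an added example that is not code from the patent. The names (`ArchiveService`, `issueScript`, `recordFingerprint`, `findSharedMachines`), the attribute list, the use of SHA-256 and the card-count threshold are all assumptions of this example; the sample visits are constructed.

```javascript
// Added example: hypothetical names throughout; not code from the patent.
const nodeCrypto = require("node:crypto");

// Attributes the collection script is assumed to query, in a fixed order.
const ATTRIBUTE_ORDER = ["userAgent", "language", "platform", "screen", "tzOffset", "plugins"];

// Steps 84 and 80: build the attribute string, then hash it.
// JSON encoding keeps field boundaries unambiguous; SHA-256 is this example's choice.
function fingerprint(attrs) {
  const attributeString = JSON.stringify(ATTRIBUTE_ORDER.map((k) => String(attrs[k] ?? "")));
  return nodeCrypto.createHash("sha256").update(attributeString, "utf8").digest("hex");
}

class ArchiveService {
  constructor(retentionMs) {
    this.retentionMs = retentionMs;
    this.profiles = new Map(); // TA/ID -> machine data profile, no customer identity
  }

  // Steps 68-74: check for the service cookie, set one if absent, mint a TA/ID.
  issueScript(request, now) {
    const taId = nodeCrypto.randomUUID();
    const cookie = request.cookie || nodeCrypto.randomBytes(16).toString("hex");
    this.profiles.set(taId, {
      taId, cookie, apparentIp: request.apparentIp, userAgent: request.userAgent,
      fingerprint: null, clientTime: null, createdAt: now, retain: false,
    });
    return { taId, cookie };
  }

  // Step 88: the script reports back; unknown, purged or already-filled TA/IDs are rejected.
  recordFingerprint(taId, fp, clientTime) {
    const profile = this.profiles.get(taId);
    if (!profile || profile.fingerprint !== null) return false;
    profile.fingerprint = fp;
    profile.clientTime = clientTime;
    return true;
  }

  // Retention: purge expired profiles unless they were marked for longer retention.
  purge(now) {
    let removed = 0;
    for (const [taId, profile] of this.profiles) {
      if (!profile.retain && now - profile.createdAt > this.retentionMs) {
        this.profiles.delete(taId);
        removed += 1;
      }
    }
    return removed;
  }
}

// Analysis: join merchant records to profiles on TA/ID, group by fingerprint, and
// report machines seen with more than maxCards distinct payment cards.
function findSharedMachines(archive, merchantRecords, maxCards) {
  const groups = new Map();
  for (const record of merchantRecords) {
    const profile = archive.profiles.get(record.taId);
    if (!profile || !profile.fingerprint) continue; // nothing to link
    const g = groups.get(profile.fingerprint) || { taIds: [], cards: new Set(), ips: new Set() };
    g.taIds.push(record.taId);
    g.cards.add(record.cardToken);
    g.ips.add(profile.apparentIp);
    groups.set(profile.fingerprint, g);
  }
  const findings = [];
  for (const [fp, g] of groups) {
    if (g.cards.size <= maxCards) continue;
    for (const taId of g.taIds) archive.profiles.get(taId).retain = true; // keep evidence
    findings.push({ fingerprint: fp, taIds: g.taIds, cards: g.cards.size, ips: g.ips.size });
  }
  return findings;
}

// Constructed sample: one machine submits three cards from three apparent IPs.
function runDemo() {
  const archive = new ArchiveService(60_000);
  const machineA = { userAgent: "ExampleBrowser/1.0", language: "en-US", platform: "Win32",
    screen: "1024x768x24", tzOffset: 300, plugins: "pdf,media" };
  const machineB = { ...machineA, screen: "800x600x16", tzOffset: -60 };
  const visits = [
    { machine: machineA, apparentIp: "203.0.113.10", cardToken: "card-1" },
    { machine: machineA, apparentIp: "198.51.100.7", cardToken: "card-2" },
    { machine: machineA, apparentIp: "192.0.2.44", cardToken: "card-3" },
    { machine: machineB, apparentIp: "203.0.113.99", cardToken: "card-4" },
  ];
  const merchantRecords = visits.map((v, i) => {
    const { taId } = archive.issueScript({ apparentIp: v.apparentIp, userAgent: v.machine.userAgent }, i);
    archive.recordFingerprint(taId, fingerprint(v.machine), i);
    return { taId, cardToken: v.cardToken }; // merchant side: the TA/ID travels in the form
  });
  const findings = findSharedMachines(archive, merchantRecords, 2);
  const purged = archive.purge(120_000);
  return { findings, purged, remaining: archive.profiles.size };
}
```

The archive side never sees the card tokens; the join happens only in `findSharedMachines`, which mirrors the privacy separation the text describes for non-suspicious transactions.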

At step 86, the customs- computer dock 32 is queried for a cuiT«it time vahie. At 
stq) 88, Ae fingerprint; tiie tnuisaction ID, and tiie time value are communicated to the 
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1 MDAS web she 16 along with an HTTP header with cookie and "apparent" IP address, all 

2 of which are stored as ftmadiine data profile IS within the MDAS archive 17. 

At step 90, the MDC script adds a proxy piercer request to the transaction form
which, when executed by the browser 28 at step 92, sends a request for a proxy piercer
applet or code to the MDAS web site 16. When the proxy piercer applet/code is executed
by the browser 28 at 94, a time value from the clock 32 is again queried at 96 and any
existing local area network (LAN) address is queried at 98. At step 100, the proxy piercer
applet/code sends the time value, the LAN address (if any), and the transaction ID to the
MDAS web site 16 by a protocol which bypasses any existing HTTP proxy 26. The
protocol used is one which is at a lower level than HTTP, such as UDP (user datagram
protocol) or, preferably, TCP/IP (transmission control protocol/internet protocol).

Bypassing the HTTP proxy 26 causes the data sent in step 100 to arrive at the
MDAS web site 16 with the IP address of the primary gateway 22, which may be different
from any apparent IP address previously recorded if an HTTP proxy 26 intervenes. If the
proxy piercer procedure 82 is successful, the primary gateway IP address is stored at step
102 within the machine data profile 18 identified by the transaction ID. It should be noted
that some types of proxies, such as some types of firewalls, may block all non-HTTP
protocol packets, so that the proxy piercer procedure 82 might not be successful in all
cases.
If the customer completes the transaction with the […]
transaction form is submitted at step 104, which causes the transaction record 6, including
the transaction ID, to be stored at step 105 in the merchant database 7 for processing.

Following are examples of code for an MDC script, as from steps 40 or 62.
Assuming the machine data archiving service or MDAS web site 16 has the fictional URL
(uniform resource locator) example-url.net and a specific merchant has […]
identifier MMM, a line of HTML code is added at step 40 to the transaction […]
merchant MMM between the <form> and </form> HTML tags […]

When the customer browser 28 processes the transaction form at step 42, it
requests a script file from the source URL: https://www.example-url.net/[…]MMM.

At step 44, the customer web browser 28 requests the MDC script by way of the
HTTP protocol. The HTTP request includes the merchant ID MMM, the user agent
(browser version), the IP address of the customer's HTTP proxy, and any HTTP cookies
previously sent to the customer by www.example-url.net. Upon receiving this
information, the archive service 16 records this information in a machine data record
which also includes the transaction ID.

Upon receiving the file request, the archive service 16 generates a unique
transaction ID (represented below as ZZZ) at step 46 to be associated with […]
and the machine parameter set. An exemplary transaction ID is a string of 24 letters and
digits. The first eight digits form a time stamp, which is a hexadecimal representation of
the seconds elapsed since midnight January 1, 1970 UTC (coordinated universal time).

In the preferred embodiment of the process 1, the MDC script is written in an
ECMAScript compliant language, such as JavaScript, JScript, or VBScript. A JavaScript
version of the MDC script is as follows (linebreaks and indentations added for clarity):

    // Hidden form field carrying the transaction ID (ZZZ)
    document.write("<input name=transactionid type=hidden value=ZZZ>");

    // Seconds elapsed since midnight on the customer computer clock
    d = new Date();
    t = 3600*d.getHours() + 60*d.getMinutes() + d.getSeconds();

    // 1x1 image request returning the transaction ID and time value
    document.write("<img height=1 width=1 src=https://www.example-url.net/tm=ZZZ&t=" + t + ">");

    // 1x1 applet request; the transaction ID is passed as a parameter
    document.write("<applet height=1 width=1 " +
        "codebase=https://www.example-url.net/ " +
        "code=W?ZZZ>" +
        "<param name=[…] value=ZZZ></applet>");
The exemplary MDC script includes the unique transaction ID […]
places. When the script executes on the customer computer 20, it writes HTML code into
the merchant's order form. Specifically:

1) The script adds a hidden variable called "transactionid" to the merchant's
transaction form and assigns it the value of the transaction ID (ZZZ). When the
transaction form is submitted, the merchant receives the transaction ID and can associate
it with the transaction data record.

2) The script computes the seconds elapsed since midnight on the clock 32
and writes a request for a 1 pixel by 1 pixel image. Included in the request is the
transaction ID and the time value. When the request executes, this data is sent back to the
archive service 16 and recorded with the transaction ID in the MDAS archive 17.

3) The script adds a request for a program located at the archive service web
site 16 which, in this example, is a Java applet. The applet downloads to the customer
computer 20 from the archive service 16 and executes, appearing as a 1 pixel by 1 pixel
image on the transaction form. The transaction ID is passed to the program as a
parameter specified in the script. The program performs three tasks:

a) it calculates TTT, the seconds elapsed since midnight on the system clock
32;

b) it calculates AAA, the address of the customer 20 on its own local area
network 24; and

c) it sends this data back to the archive service 16 via TCP/IP, by requesting
the following […]:

The archive service 16 receives the message which includes the parameters TTT,
AAA, and ZZZ. The message also includes the IP address of the sender. This address is
the customer's actual IP address, which in some cases is different from the HTTP proxy IP
address. The archive service 16 records this information in the MDAS archive 17 and
associates it with the transaction ID ZZZ.
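An added example (not part of the patent) of the archive-side correlation described in this passage and in the transaction ID format above: messages arriving over HTTP and over the direct channel are joined on the transaction ID, the apparent and direct source addresses are compared, and the client clock is compared with the server's. The message field names, the sample transaction IDs and the addresses are constructed for illustration.

```javascript
// Constructed sample messages as an archive might log them. IDs follow the
// described format (8 hex digits of Unix time + 16 letters/digits); the
// addresses come from documentation ranges. Field names are assumptions.
const TID_A = '393e5560A7K2M9QX4T1ZB8R3';
const TID_B = '393e5561C5N8P2WY6V3HD9S4';
const SAMPLE_MESSAGES = [
  { channel: 'http', tid: TID_A, srcIp: '203.0.113.10', t: 32403, receivedAt: 960386405 },
  { channel: 'direct', tid: TID_A, srcIp: '198.51.100.77', t: 32404,
    lan: '192.168.1.23', receivedAt: 960386406 },
  // Direct message never arrived for this one (e.g. non-HTTP traffic blocked).
  { channel: 'http', tid: TID_B, srcIp: '192.0.2.44', t: 50410, receivedAt: 960386411 },
];

// The first eight characters are hex seconds since 1970-01-01 UTC.
function parseTransactionId(tid) {
  if (typeof tid !== 'string' || !/^[0-9a-f]{8}[0-9a-z]{16}$/i.test(tid)) {
    throw new Error('malformed transaction ID');
  }
  return { tid, issuedAt: parseInt(tid.slice(0, 8), 16) };
}

// Client clock (seconds since local midnight) minus server UTC clock, wrapped
// into [-43200, 43200). The result is mostly time zone, plus clock error.
function clockOffsetSeconds(clientSecondsSinceMidnight, serverEpochSeconds) {
  const d = clientSecondsSinceMidnight - (serverEpochSeconds % 86400);
  return ((d + 43200) % 86400 + 86400) % 86400 - 43200;
}

// Join all messages that share a transaction ID into one machine data profile.
function buildProfiles(messages) {
  const profiles = new Map();
  for (const m of messages) {
    const { tid, issuedAt } = parseTransactionId(m.tid);
    if (!profiles.has(tid)) {
      profiles.set(tid, { tid, issuedAt, apparentIp: null, directIp: null,
        lanAddress: null, clockOffsets: [], proxySuspected: null });
    }
    const p = profiles.get(tid);
    if (m.channel === 'http') p.apparentIp = m.srcIp;
    if (m.channel === 'direct') { p.directIp = m.srcIp; p.lanAddress = m.lan || null; }
    p.clockOffsets.push(clockOffsetSeconds(m.t, m.receivedAt));
  }
  for (const p of profiles.values()) {
    // null = no direct message, so a proxy is unknown rather than ruled out.
    if (p.directIp !== null && p.apparentIp !== null) {
      p.proxySuspected = p.directIp !== p.apparentIp;
    }
  }
  return profiles;
}

for (const p of buildProfiles(SAMPLE_MESSAGES).values()) console.log(p);
```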

The machine data collection and archiving process 1 of the present invention has
been described with a particular application in fraud detection. However, […]
that the techniques of the present invention have a wider application, as for marketing or
computer support purposes, or other functions. While the process 1 has been described
with reference to the internet 4 or world wide web, it is also conceivable that the process 1
could be employed on computer networks of less than global expanse, such as a large
intranet, a national or regional network, or the like.

Therefore, it is to be understood that while certain forms of the present invention
have been illustrated and described herein, the present invention is not intended to be
limited to the specific forms, arrangement of parts, sequence of steps, or particular
applications described and shown.
CLAIMS

What is claimed and desired to secure by Letters Patent is:

1. A process for collecting machine identifying information associated with a digital
online access device used for substantially anonymously accessing a host computer
system over a digital network; said host computer system generating an interaction
record of an access therewith by said access device, and said process comprising
the steps of:

(a) capturing a machine identifying profile parameter upon said access device
accessing said host computer system;

(b) generating a unique interaction identification string upon said access device
accessing said host computer system;

(c) associating said interaction identification string with said profile parameter;
and

(d) associating said interaction identification string with said interaction record
generated upon said access device accessing said host computer system.

2. A process as set forth in Claim 1 wherein said capturing step includes the step of:
(a) capturing a digital address of said access device on said digital network.

3. A process as set forth in Claim 1 wherein said capturing step includes the step of:
(a) capturing a configuration setting of said access device.
4. A process as set forth in Claim 1 and including the steps of:

(a) communicating a self-identification routine to said access device upon said
access device accessing said host computer system;

(b) said access device executing said self-identification routine;

(c) said self-identification routine querying a configuration setting of said
access device to derive said profile parameter; and

(d) said self-identification routine communicating said profile parameter to a
remote location for association with said interaction identification string.

5. A process as set forth in Claim 1 and including […]

(a) said host system operating a host web site including an interaction page
generated by interaction page code processed by said access device upon
accessing said host web site; and

(b) coding, within said interaction page code, a self-identification routine
which causes said access device to communicate said profile parameter
when said access device processes said interaction page code.

6. A process as set forth in Claim 3 and including the step of:

(a) coding said self-identification routine in such a manner that said profile
parameter and said interaction identification string are communicated to a
third party web site at which said profile parameter and said interaction
identification string are stored.

7. A process for identifying a customer computer involved in an online transaction
between a customer using a customer browser operating on said customer
computer and a merchant operating a merchant web site, said method comprising
the steps of:

(a) capturing a customer computer profile parameter upon said customer
computer accessing said merchant web site;

(b) generating a transaction identification string and associating said string
with said parameter;

(c) storing said parameter and said string in a machine data archive;

(d) upon said customer completing a transaction through said merchant web
site, storing said transaction identification string with a transaction record
formed during said transaction to thereby associate said parameter with
said transaction record through said string.

8. A process as set forth in Claim 7 wherein said capturing step includes the step of:
(a) capturing an IP address of said customer computer.






WO 01/97134 PCT/US01/18076



9. A process as set forth in Claim 7 wherein said capturing step includes the step of:
(a) capturing a configuration setting of said customer computer.

10. A process as set forth in Claim 7 and including the step of:

(a) communicating said profile parameter and said transaction identification
string to a third party web site for storage.

11. A process as set forth in Claim 7 and including the step of:

(a) causing said customer computer to communicate said profile parameter and
said transaction identification string to a third party web site for storage.

12. A process as set forth in Claim 7 and including the steps of:

(a) communicating a self-identification routine to said customer computer
upon said customer computer accessing said merchant web site;

(b) said customer computer executing said self-identification routine;

(c) said self-identification routine querying a configuration setting of said
customer computer to derive said profile parameter; and

(d) said self-identification routine communicating said profile parameter to a
remote location for association with said interaction identification string.
13. A process as set forth in Claim 12 and including the step of:

(a) coding said self-identification routine in such a manner that said profile
parameter and said interaction identification string are communicated to a
third party web site at which said profile parameter and said interaction
identification string are stored.

14. A process as set forth in Claim 12 wherein said querying step includes the steps of:

(a) querying said customer browser for a plurality of configuration settings;

(b) forming an attribute string from said plurality of configuration settings; and

(c) processing said attribute string to form said profile parameter of said
customer computer.

15. A process as set forth in Claim 12 wherein said customer computer potentially
accesses said merchant web site by way of a proxy, and said communicating step
includes the steps of:

(a) communicating said profile parameter and said transaction identification
string to said remote web site using a protocol which bypasses said proxy.

16. A process for identifying a customer computer involved in an online transaction
through a merchant web site between a customer using a customer browser
operating on said customer computer and a merchant who operates said web site,
said method comprising the steps of:

(a) coding a script request within a transaction form of said merchant web site;

(b) processing said script request by said customer browser upon accessing
said merchant web site to thereby communicate to an archiver web site of a
machine data archiving service an electronic request […]
collection script;

(c) said archiver web site returning said script to said customer browser along
with a unique transaction identification string;

(d) said customer browser processing said script to thereby cause said script to
query said customer computer for a profile parameter of said customer
computer;

(e) said script causing said customer browser to communicate said profile
parameter and said transaction identification string to said archiver web
site;

(f) said archiver web site storing said profile parameter and said transaction
identification string in a machine data profile;

(g) said script causing said customer browser to write said transaction
identification string into said transaction form; and

(h) upon said customer adding customer identification information to said
transaction form and electronically submitting said transaction form to said
merchant web site to thereby comprise a transaction record, said
transaction identification string associating said transaction record with said
machine data profile.

17. A process as set forth in Claim 16 and including the steps of:

(a) said script causing said computer browser to communicate said profile
parameter and said transaction identification string along with a
conventional hypertext transfer protocol (HTTP) header; and

(b) said archiver service additionally storing said HTTP header in association
with said machine data profile.

18. A process as set forth in Claim 16 and including the step of:

(a) said script querying said customer browser for a configuration setting
thereof.

19. A process as set forth in Claim 15 and including the steps of:

(a) said script querying said customer browser for a plurality of configuration
settings;

(b) said script forming an attribute string from said plurality of configuration
settings; and

(c) said script processing said attribute string to form said profile parameter of
said customer computer.

20. A process as set forth in Claim 19 wherein said script processing step includes the
step of:

(a) said script performing a hashing function on said attribute string to form
said profile parameter.

21. A process as set forth in Claim 16 wherein said customer computer potentially
accesses said merchant web site by way of a proxy, and including the step of:
(a) said script communicating said profile parameter and said transaction
identification string to said archiver service web site using a protocol which
bypasses said proxy.

22. A process as set forth in Claim 16 and including the step of:

(a) said script communicating said profile parameter to said archive service
web site using a protocol other than HTTP.

23. A process as set forth in Claim 16 wherein said customer computer includes a
digital clock, and including the steps of:

(a) said script causing said customer browser to query said clock for a time
value; and

(b) said script causing said customer browser to send said time value to said
archiver service web site along with said profile parameter.

24. A process for identifying a customer computer involved in an online transaction
through a merchant web site between a customer using a customer browser
operating on said customer computer and a merchant who operates said web site,
said method comprising the steps of:

(a) coding a script request within a transaction form of said merchant web site;

(b) processing said script request by said customer browser upon accessing
said merchant web site to thereby communicate to an archiver web site of a
machine data archiving service an electronic request for a machine data
collection script;

(c) said archiver web site returning said script to said customer browser along
with a unique transaction identification string;

(d) said customer browser processing said script to thereby cause said script
to:

(1) query said customer browser for a plurality of configuration
settings;

(2) form an attribute string from said plurality of configuration settings;

(3) perform a hashing function on said attribute string to form said
profile parameter; and

(4) query an internal digital clock of said customer computer for a
current time value;

(e) said script causing said customer browser to communicate said profile
parameter, said time value, and said transaction identification string to said
archiver web site along with a conventional HTTP header;

(f) said archiver web site storing said profile parameter, said time value, and
said transaction identification string in a machine data profile;

(g) said script causing said customer browser to write said transaction
identification string into said transaction form; and

(h) upon said customer adding customer identification information to said
transaction form and electronically submitting said transaction form to said
merchant web site to thereby comprise a transaction record, said
transaction identification string associating said transaction record with said
machine data profile.

25. A process as set forth in Claim 24 wherein said customer computer potentially
accesses said merchant web site by way of a proxy, and including the steps of:
(a) said script querying said customer computer for a second profile parameter;
and

(b) said script communicating said second profile parameter and said
transaction identification string to said archiver service site using a
protocol which bypasses said proxy.

26. A process as set forth in Claim 25 and including the step of:

(a) said script communicating said second profile parameter to said archiver
service web site using a protocol other than HTTP.
FIG. 2.